Can't connect between droplets using public IP

February 10, 2018 443 views
Networking CentOS
By: kevbuk

I'm randomly having problems connecting between droplets via the public IP. I can connect to all droplets from my local machine (ping, SSH, etc) but between SOME droplets I cannot connect when using the public IP. Private IP seems unaffected:

[root@docker-2 ~]# ping 159.65.12.117
PING 159.65.12.117 (159.65.12.117) 56(84) bytes of data.
From 159.65.12.166 icmp_seq=1 Destination Host Unreachable

(159.65.12.117 is the public IP for another node, which I can ping and SSH to from my local machine directly using this IP)

But I can ping the same machine using its private IP:

[root@docker-2 ~]# ping 10.130.73.188
PING 10.130.73.188 (10.130.73.188) 56(84) bytes of data.
64 bytes from 10.130.73.188: icmp_seq=1 ttl=64 time=1.72 ms

(10.130.73.188 is the private IP of 159.65.12.117)

This droplet is able to ping other servers over the internet, e.g.

[root@docker-2 ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=0.922 ms

There are no DO firewalls applied to any servers. All servers are CentOS 7 with no firewalld and no custom networking rules applied, aside from those set up by Docker.

This seems to be random, since if I kill the droplet and reconfigure it, it sometimes starts to work. All droplets are configured by ansible and should be identical, yet some exhibit this problem and some do not.

Here's a tracepath result from the same droplet, showing first another droplet I can't reach and 2nd a droplet that I can reach. All 3 are in the same datacenter and all configured identically:

[root@docker-2 ~]# tracepath 159.89.211.191
1?: [LOCALHOST] pmtu 1500
1: 159.65.0.254 5.782ms 
1: 159.65.0.254 8.442ms 
2: 138.197.250.250 0.553ms 
3: no reply
4: no reply
5: no reply
[root@docker-2 ~]# tracepath 188.166.197.201
1?: [LOCALHOST] pmtu 1500
1: 159.65.0.253 17.165ms 
1: 159.65.0.253 3.751ms 
2: 138.197.250.252 0.519ms 
3: 138.197.250.211 0.432ms 
4: 188.166.197.201 0.835ms reached
Resume: pmtu 1500 hops 4 back 4

Please help. I'm new to DO and surprised how long it takes to get a support ticket answered so I'm trying here.
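The probes in the question (ping over the public address, ping over the private address, and a look at the route taken) can be run as one reachability matrix so that a public-only failure stands out against the peers that work. The script below is an added example, not something posted in this thread or provided by DigitalOcean; it assumes an iputils `ping` and iproute2 `ip` on the droplet, and the `droplets.txt` format it reads is invented for this example.

```shell
#!/bin/sh
# Added example: reachability matrix for a set of droplets, probing each peer
# over its public and private address and recording the kernel's routing
# decision for the public path. Not from the original thread.
# Assumes iputils ping and iproute2 "ip"; the droplets.txt format is invented.

# Classify the output of one "ping -c 1" run. Reads the ping output on stdin
# so it can be exercised against captured text without any network access.
classify_ping_output() {
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q 'bytes from'; then
        echo reachable          # an echo reply came back
    elif printf '%s\n' "$out" | grep -q 'Destination Host Unreachable'; then
        echo host-unreachable   # local neighbour lookup failed, or the gateway said so
    elif printf '%s\n' "$out" | grep -qi 'no route to host'; then
        echo no-route           # the kernel has no route for that destination
    elif printf '%s\n' "$out" | grep -q 'Network is unreachable'; then
        echo net-unreachable
    else
        echo timeout            # packets simply vanished, as in the "no reply" tracepath hops
    fi
}

# Probe one address with a single echo request and a 2 second wait.
probe() {
    ping -c 1 -W 2 "$1" 2>&1 | classify_ping_output
}

# Show which interface and gateway the kernel chooses for a destination, so a
# wrong on-link assumption or a container bridge claiming the prefix is visible.
route_for() {
    ip route get "$1" 2>&1 | head -n 1
}

# droplets.txt, one droplet per line: "<name> <public-ip> <private-ip>"
# (format invented for this example), e.g.
#   docker-1 159.65.12.117 10.130.73.188
# Prints one row per peer with the public and private verdicts side by side.
probe_matrix() {
    file="$1"
    printf '%-12s %-16s %-18s %-16s %-18s\n' PEER PUBLIC VERDICT PRIVATE VERDICT
    while read -r name pub priv; do
        case "$name" in
            ''|\#*) continue ;;   # skip blank lines and comments
        esac
        printf '%-12s %-16s %-18s %-16s %-18s\n' \
            "$name" "$pub" "$(probe "$pub")" "$priv" "$(probe "$priv")"
        echo "    route: $(route_for "$pub")"
    done < "$file"
}

# Usage on a droplet:  probe_matrix droplets.txt
```

Running it from each droplet in turn gives the full matrix the reproduction steps ask for; a row that reads `host-unreachable` on the public column and `reachable` on the private column, together with the `route:` line, is the evidence worth attaching to a support ticket.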

3 comments
  • I can reproduce this on fresh droplets with no configuration.

    Steps to reproduce:

    1. Create 3 or 4 new droplets, private networking enabled, no firewall (I used Ubuntu this time)
    2. SSH to each droplet and ping the others, in turn, using the public IP

    Expected result:
    Can ping each droplet from every other

    Actual:
    Some droplets give "No route to host"

    I am absolutely stumped by this. I was in the process of migrating a docker swarm cluster from another provider but I'm just about ready to give up on DO because of this.

  • If any staff read this, my ticket is #1113618. Hopefully I get some kind of support on this or I'll have to abandon my migration completely and look elsewhere.

  • How long does a support ticket usually take to answer?

    This is looking like a poor experience for my first few days on DigitalOcean...

1 Answer

Yes, you can connect between droplets using the public IP. The connection(s), I do believe, count towards your bandwidth.

I would suggest enabling private networking so that you can connect between droplets. Be aware the droplets need to be in the same region to take advantage of private networking.
